
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take full control of a WordPress website.
The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability is in the plugin's Complex Calculation feature, which accepts values submitted through form fields and inserts them into a PHP code string. It then executes the resulting code using PHP's 'eval()' function.
Although user input is passed through the 'sanitize_text_field()' function, that function does not escape single quotes (') or other characters that affect PHP syntax.
As a result, an attacker can close the intended string, inject arbitrary PHP code, and comment out the remaining generated code to achieve code execution on the server.
Telemetry data from the Wordfence firewall and malware scanner for WordPress shows that the vulnerability is being exploited in the wild to create rogue administrator accounts.
"The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina'," explains a report from Wordfence.
"The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and doesn't cause a syntax error."
"When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created."
Administrator-level access gives attackers full power to perform high-risk actions on the breached website, including modifying content, installing plugins and themes, planting backdoors and webshells, and accessing private databases.
Researcher h0xilo submitted the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18, the Everest Forms developer released a patch that addresses the issue.
According to Wordfence data, active exploitation started on April 13, with the firewall blocking over 29,300 attempts.

Source: Wordfence
Wordfence says exploitation attempts originate primarily from two IP addresses, 202.56.2[.]126 and 209.146.60.26, and recommends that defenders block them.
However, Wordfence's report provides several more offending IP addresses as indicators of compromise (IOCs).
Website administrators are also advised to review log files and administrator accounts for any suspicious activity, especially anything containing the string "diksimarina."
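As an added defensive example (not from the article or from Wordfence), the following Python script applies the indicators the article gives to constructed sample data: it flags web-server log lines from the two reported IP addresses and flags administrator accounts that carry the "diksimarina" username or were registered on or after the day exploitation began. The log format, sample lines and user list are assumptions, not real data.

```python
import re
from datetime import datetime

# Indicators quoted in the article from the Wordfence report (dotted form of the defanged 202.56.2[.]126).
IOC_IPS = {"202.56.2.126", "209.146.60.26"}
IOC_USERNAME = "diksimarina"
EXPLOITATION_START = "2026-04-13 00:00:00"  # first in-the-wild attempts per Wordfence

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [13/Apr/2026:09:12:01 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
202.56.2.126 - - [13/Apr/2026:09:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.4 - - [13/Apr/2026:09:13:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
209.146.60.26 - - [13/Apr/2026:09:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.4.0"
"""

# Constructed sample of a WordPress user export: (user_login, user_registered, role).
SAMPLE_USERS = [
    ("alice", "2024-06-01 10:00:00", "administrator"),
    ("editor-bob", "2025-01-15 08:30:00", "editor"),
    ("diksimarina", "2026-04-13 09:12:45", "administrator"),
    ("wp_support_1", "2026-04-14 02:00:00", "administrator"),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def flag_log_lines(log_text):
    """Return (ip, timestamp, method, path) for every request from a reported IOC IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("path")))
    return hits


def flag_admin_accounts(users, exploitation_start=EXPLOITATION_START):
    """Flag admins carrying the IOC username, or registered on/after the exploitation start date."""
    cutoff = datetime.strptime(exploitation_start, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for login, registered, role in users:
        if role != "administrator":
            continue  # only administrator accounts matter for this campaign
        if IOC_USERNAME in login:
            flagged.append((login, "matches IOC username"))
        elif datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff:
            flagged.append((login, "admin created after exploitation began; review"))
    return flagged
```

Call flag_log_lines(SAMPLE_ACCESS_LOG) and flag_admin_accounts(SAMPLE_USERS) to run it against the constructed samples; on a real site, feed it the web-server access log and a user export from the WordPress database.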


